How do I create an exception to a puppet catalog?

Specifically I want to use Puppet to manage a one-off set of firewall rules, to be combined with the default ruleset.

This is for a single legacy system only, it should get the default set of rules, AND several additional rules.

It seems silly to me to put this on the puppet master, since it truly will only ever be a one-off thing... Can I put this in the modules directory on the local machine? Will Puppet compile a catalog from the server and from the local machine?

2 Answers

Ideally, your firewall module is flexible (built with defined types), and allows for one-offs.

I don't think you can combine modules on the client with modules on the master, but what you could do is use a firewall module that is parameterized, and that uses defined types for rules. This way, you would create a node definition for your one-off server in site.pp, and alter your default setup slightly by passing in the special firewall rules to the firewall module.

This way, you're not writing a bunch of extra code in specialized modules. Instead, you're ...
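A sketch of the layout described in the answer above, added here as an illustration and not taken from the answer or from any published module. The `site_firewall` module, its `extra_rules` parameter, the node name, ports and addresses are all hypothetical, and the `firewall` resource is assumed to come from puppetlabs-firewall 7.0 or later.

```puppet
# Hypothetical module "site_firewall"; rule titles, ports and addresses are constructed.
# modules/site_firewall/manifests/rule.pp
define site_firewall::rule (
  Variant[Integer, String] $dport,
  String                   $proto  = 'tcp',
  Optional[String]         $source = undef,
) {
  # $title carries the ordering prefix, e.g. '200 allow legacy app from app tier'
  firewall { $title:
    dport  => $dport,
    proto  => $proto,
    source => $source,
    jump   => 'accept',  # on puppetlabs-firewall before 7.0 use: action => 'accept'
  }
}

# modules/site_firewall/manifests/init.pp
class site_firewall (
  Hash[String, Hash] $extra_rules = {},
) {
  # Default ruleset that every node receives
  site_firewall::rule { '100 allow ssh from admin net':
    dport  => 22,
    source => '192.0.2.0/24',
  }

  # Per-node additions, applied on top of the defaults
  $extra_rules.each |String $rule_title, Hash $params| {
    site_firewall::rule { $rule_title: * => $params }
  }
}

# manifests/site.pp
node 'legacy01.example.com' {
  class { 'site_firewall':
    extra_rules => {
      '200 allow legacy app from app tier' => {
        'dport'  => 8080,
        'source' => '198.51.100.10/32',
      },
    },
  }
}

node default {
  include site_firewall
}
```

Keeping the exception in `site.pp` (or in Hiera data bound to `site_firewall::extra_rules`) leaves the legacy host's extra openings visible and reviewable alongside the default ruleset, and scoping each one with `source` keeps the exception as narrow as the default rules.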

"It seems silly to me to put this on the puppet master, since it truly will only ever be a one-off thing..."

Responding to philosophy, as a tech answer already exists: is this a one-off thing that matters? That you'd want to rebuild if it died, that you'd build again if starting from scratch? Configuration management can (and IMO should) encompass everything, not just the shared/common components.